Problem solve Get help with specific problems with your technologies, process and projects.

The telltale signs of a network attack

Some people believe that if IP addresses from China are attacking their network, then they are under attack from China. Expert John Strand explains why all that it is irrelevant.

I work for a professional services organization that does a lot of contract IT work for U.S. government agencies. I've read about recent reports concluding that malicious Chinese hackers have consistently penetrated government and related networks, and obviously an organization like ours could be in jeopardy as well. What are some telltale signs that such attackers are attempting to or have already penetrated our network and stealing data?
There seems to be a great amount of buzz about nation-states engaging in low-level cyberattacks against each other. Some people believe that if IP addresses from China are attacking their network, then they are under attack from China. Personally, I believe that it is irrelevant.

Any country or non-state actor could attack you at any time, and it could come from anywhere.

It therefore becomes increasingly important to develop a security plan that profiles attackers. Many organizations immediately attempt to remove the source and symptoms of an attack without much interest in analyzing the skill of the attackers, or determining what the hackers were after. There are really two security approaches that can be helpful here: honeypots and extrusion detection technology.

Honeypots are systems that act as bait for attackers. Either set them to mimic standard desktops or server-class machines. In either case, there are machines that should never be interacted with. As soon as someone from the outside engages them, begin monitoring every action on the network and on the hosts to see what the attackers are doing. Before diving into this sort of project, however, I recommend taking the time to become familiar with the tools and reference papers at the Honeynet Project, a research organization designed to share ideas on the subject.

I would also start looking at your outbound traffic. What websites are visited? Where are they located? What protocols (i.e. ICMP, and UDP) are leaving your network? With this approach, instead of assuming that the attackers are outside trying to get in, instead the focus is on the traffic leaving the network and verifying all of it. I recommend network monitoring tools like Wireshark and BotHunter to cut through the tremendous amount of data being reviewed. It will be difficult at first, but these tools will turn up some surprising results, and your team will learn more about the environment they are protecting (which is always a good thing).

This was last published in April 2009

Dig Deeper on Emerging cyberattacks and threats